The Biggest Threat? It May Be You

When it comes to virtual server security, you might just be the weak link. Or, more precisely, your lack of planning, maintenance, and governance of that VM server farm.

InformationWeek Supplement, 6/22/2009, sponsored by Novell

We're halfway through 2009, and still no reports of production hosts being hyperjacked, leaving servers at the mercy of a compromised hypervisor. So what about all those dire 2007 predictions of virtualization-fueled havoc from third-party APIs, virtual NIC drivers, guest escalation breakouts, or compromised hypervisors? Anyone?

The only real-world vulnerability related to virtualization that's been reported for a major vendor was Microsoft's hypervisor privilege escalation vulnerability on the embedded hypervisor running Xbox 360s from the 2006 model year. No vulnerabilities have hit Hyper-V or Virtual PC.

As virtualization has gone mainstream and virtual machines have sprawled across data centers over the past few years, IT and security pundits repeatedly raised the bogeyman of compromised hypervisors. Black Hat seminars continue to debate potential risks and exploits. Gartner predicted there would be a hypervisor vulnerability worthy of a patch by the end of last year. Did any of the 19 security patches that VMware released in 2008 count as patch-worthy? Of course they did. Whether any of them patched a likely real-world exploit is up for debate.

The reality is that virtualization is simply software: tightly written bundles of highly efficient code, designed with a hard, crunchy shell, but software nonetheless. As with any complex, widely adopted program, there have been code and design flaws, and there will be more.

Given that, what are the likely threats? Virtual servers are just servers. The hardware abstraction and flexibility inherent in virtualization yields untethered VMs that are easy to create, deploy, shelve, and, well, even lose track of. The biggest threats to your virtualized world aren't bad guys wielding BIOS viruses, mythical blue pills, or a dastardly new method of usurping control of underlying host platforms. Rather, the weakest link is your own lack of planning, care, maintenance, and governance over your Wild West, devil-may-care VM farm.

Shore Up Standard Defenses
There's a long list of security concerns in small and large virtualized shops. You should be concerned about potential exploits allowing guest VMs to break out of their jails and into the host or hypervisor tier, says Greg Shipley, CTO at information security consulting firm Neohapsis, but you should be more concerned about unpatched guest VMs lurking forgotten on a test host or shuttling from host to host via poor live migration rule sets. Hyperjacking and intrahost risks are concerns, "but is that the right battle to fight?" he asks.

Just about everyone can benefit from basic risk management thinking, where the likelihood of a threat is plotted against the potential impact and the remediation effort and cost, Shipley says. Most companies have basic security design and infrastructure concerns that span both physical and virtualized environments. As boring as it sounds, addressing those concerns will have a greater impact on overall safety than any single-purpose VM tool. Put another way, focusing on VM-specific solutions is premature if your physical shop is at risk.

Any unpatched server is a security risk, and a test or production VM, with management authority delegated to a business unit or development team, is a serious risk. Even if you have an automated patch management system or a formal in-house patch management strategy, you probably aren't 100% certain that all your VMs' OS and application instances are up to date. Attackers will probe your network for common exploits, and an unpatched Win2K3 server with a known hole is an easy mark. Bad guys don't care if the server is physical or virtual. They're just looking for exploitable targets.

Traditional automated patching strategies don't take offline servers into consideration. In the physical world, a dark server is a dead one. But in the virtual world, suspended or archived servers can be updated via virtualization-aware patch management tools. VM templates and base images also have to be maintained and patched. Lacking these tools, shops should vet each VM to check for currency and compliance, applying all patches before releasing a guest server to production.
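The vetting step described above, as an added example that is not from the article or any vendor tool: a release gate that audits every guest, including suspended VMs, powered-off VMs and templates, for patch currency, and separately lists the guests a conventional in-guest patch agent would never reach. The inventory, guest names, patch identifiers and the 30-day policy are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Guest:
    name: str
    kind: str            # "vm" or "template"
    state: str           # "running", "suspended" or "powered_off"
    owner: str           # team holding delegated management authority
    last_patched: date
    missing_patches: tuple = ()

MAX_PATCH_AGE = timedelta(days=30)   # policy value chosen for this example

def release_blockers(guest: Guest, today: date) -> list:
    """Reasons a guest may not be released to production (empty list = compliant)."""
    blockers = []
    if guest.missing_patches:
        blockers.append("missing patches: " + ", ".join(guest.missing_patches))
    age = today - guest.last_patched
    if age > MAX_PATCH_AGE:
        blockers.append(f"last patched {age.days} days ago (limit {MAX_PATCH_AGE.days})")
    return blockers

def audit(inventory, today: date) -> dict:
    """Map every non-compliant guest (running, suspended, off, or template) to its blockers."""
    report = {}
    for g in inventory:
        blockers = release_blockers(g, today)
        if blockers:
            report[g.name] = blockers
    return report

def skipped_by_agent_patching(inventory) -> list:
    """Guests a conventional in-guest patch agent never sees: offline VMs and templates."""
    return [g.name for g in inventory if g.kind == "template" or g.state != "running"]

# Constructed sample inventory (hypothetical names and patch ids, not real bulletins).
TODAY = date(2009, 6, 22)
INVENTORY = [
    Guest("web01", "vm", "running", "ops", date(2009, 6, 17)),
    Guest("test-db", "vm", "suspended", "dev-team", date(2009, 1, 10), ("example-patch-01",)),
    Guest("base-win2k3", "template", "powered_off", "ops", date(2008, 11, 1),
          ("example-patch-02", "example-patch-03")),
    Guest("file02", "vm", "powered_off", "finance", date(2009, 6, 12)),
]

if __name__ == "__main__":
    for name, why in audit(INVENTORY, TODAY).items():
        print(f"{name}: " + "; ".join(why))
    print("needs virtualization-aware patching or manual vetting:",
          ", ".join(skipped_by_agent_patching(INVENTORY)))
```

Note that file02 passes the currency check but still appears in the second list: a powered-off guest that was current when it went dark will silently fall out of policy unless something other than the in-guest agent tracks it.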
